MID-043: Manage Default Login Credentials
Mitigation Tier: Foundational
Description
If a device must ship with default passwords for user accounts, each password should be unique to that device, generated from a cryptographically secure random source, and not derived from any inherent device property (such as the serial number or MAC address), since those values are visible to anyone on the network or with the device in hand. Default passwords should be at least 8 characters long and contain a mix of uppercase letters, lowercase letters, and numbers. The default password should be obtainable only through physical access to the device (for example, printed on a label on the unit) or from the documentation delivered with the hardware.
Users should be prompted to change the default password on first use of the device and should be able to change it at any time afterwards.
In some cases it is preferable to ship the device without any default credentials. The user is then prompted to set credentials on first use, before other device functions are enabled.
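The following Python example is added here to illustrate the three points above in working code; it is not part of the EMB3D page or any vendor's firmware. It shows a factory provisioning step that draws a per-device default password from the OS CSPRNG (so no two devices share one and nothing about the device is an input), a policy check for the length and character-class requirements, the anti-pattern of deriving a default from the MAC address (anyone who learns the MAC can recompute it), and a minimal credential record that stores only a salted hash and locks all other functions until the default has been replaced. All names (generate_default_password, DeviceCredentialStore, provision_device, the "SN-0001" serial and the sample MAC) are hypothetical.

```python
import hashlib
import hmac
import secrets
import string

# Upper, lower and digits as the mitigation requires, with visually ambiguous
# characters removed so the value can be read reliably off a printed label.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits if c not in "0O1lI")
MIN_LENGTH = 8


def meets_policy(password: str) -> bool:
    """Length and character-class rules stated in the description."""
    return (len(password) >= MIN_LENGTH
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password))


def generate_default_password(length: int = 12) -> str:
    """Per-device default password from the OS CSPRNG (secrets module).

    No device identifier is an input, so learning one device's serial or MAC
    reveals nothing about its password or any other device's. Candidates are
    rejection-sampled until every required character class is present.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"default passwords must be at least {MIN_LENGTH} characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate):
            return candidate


def predictable_default_from_mac(mac: str) -> str:
    """ANTI-PATTERN, shown only for contrast: a default derived from the MAC.
    The function is deterministic, so anyone who sees the MAC (on the label,
    in ARP traffic, in a Wi-Fi beacon) recomputes the password offline."""
    return hashlib.sha256(mac.encode()).hexdigest()[:8]


class DeviceCredentialStore:
    """Minimal account record as firmware would hold it: a salted PBKDF2 hash
    of the current password plus a flag that forces a change before normal use.
    (Iteration count kept modest for the example; production would use a
    higher count or a memory-hard KDF.)"""

    ITERATIONS = 100_000

    def __init__(self, default_password: str):
        self._salt = secrets.token_bytes(16)
        self._hash = self._derive(default_password)
        self.must_change = True  # cleared only once the user sets their own

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, self.ITERATIONS)

    def authenticate(self, password: str) -> bool:
        # Constant-time comparison so timing does not leak matching prefixes.
        return hmac.compare_digest(self._derive(password), self._hash)

    def change_password(self, current: str, new: str) -> bool:
        """Requires the current password, enforces policy on the new one and
        refuses to keep the default; re-salts on every change."""
        if not self.authenticate(current) or not meets_policy(new) or new == current:
            return False
        self._salt = secrets.token_bytes(16)
        self._hash = self._derive(new)
        self.must_change = False
        return True

    def can_operate(self) -> bool:
        """First-use gate: other device functions stay locked until the
        shipped default has been replaced."""
        return not self.must_change


def provision_device(serial: str) -> tuple[str, DeviceCredentialStore]:
    """Factory step: generate the default, keep only its hash in the device
    record, and hand the plaintext back once so it can be printed on the
    label or in the shipped documentation. The serial is recorded, never used
    as key material."""
    pw = generate_default_password()
    return pw, DeviceCredentialStore(pw)


if __name__ == "__main__":
    label_a, dev_a = provision_device("SN-0001")   # constructed sample serials
    label_b, dev_b = provision_device("SN-0002")
    print("device A label:", label_a, "| device B label:", label_b)
    print("MAC-derived default is reproducible:",
          predictable_default_from_mac("00:11:22:33:44:55") ==
          predictable_default_from_mac("00:11:22:33:44:55"))
    print("operable before change:", dev_a.can_operate())
    dev_a.change_password(label_a, "NewPassw0rd")
    print("operable after change:", dev_a.can_operate())
```

Two defaults provisioned for otherwise identical devices differ, while the MAC-derived variant returns the same string every time it is given the same MAC, which is exactly the property that lets an attacker log in without ever seeing the label.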
IEC 62443 4-2 Mappings
CR 1.1 – Human user identification and authentication – RE (1) Unique identification and authentication
CR 1.5 – Authenticator management
References
[1] CISA. “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software.” cisa.gov. Accessed: Aug. 28, 2024. [Online.] Available: https://www.cisa.gov/sites/default/files/2023-10/SecureByDesign_1025_508c.pdf
[2] P. Grassi, J. Fenton, E. Newton, R. Perlner, A. Regenscheid, W. Burr, J. Richer, N. Lefkovitz, J. Danker, Y. Choong, K. Greene, and M. Theofanos. “NIST Special Publication 800-63B - Digital Identity Guidelines: Authentication and Lifecycle Management.” nist.gov. Accessed: Aug. 28, 2024. [Online.] Available: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf